Message ID | 20220630170301.4431-1-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 2651989d3b94 |
Series | libsepol: do not modify policy during write | expand |
On Thu, Jun 30, 2022 at 1:04 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > Do not modify the in memory default_range value of a class datum while > writing a policy. > > While on it fix indentation. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > libsepol/src/write.c | 16 +++++++++------- > 1 file changed, 9 insertions(+), 7 deletions(-) > > diff --git a/libsepol/src/write.c b/libsepol/src/write.c > index 48ed21ea..a9fdf93a 100644 > --- a/libsepol/src/write.c > +++ b/libsepol/src/write.c > @@ -1097,16 +1097,18 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) > p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) || > (p->policy_type == POLICY_BASE && > p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) { > + char default_range = cladatum->default_range; > + > buf[0] = cpu_to_le32(cladatum->default_user); > buf[1] = cpu_to_le32(cladatum->default_role); > - if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) { > + if (!glblub_version && default_range == DEFAULT_GLBLUB) { > WARN(fp->handle, > - "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding", > - p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers, > - p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB); > - cladatum->default_range = 0; > - } > - buf[2] = cpu_to_le32(cladatum->default_range); > + "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding", > + p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers, > + p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB); > + default_range = 0; > + } > + buf[2] = cpu_to_le32(default_range); > items = put_entry(buf, sizeof(uint32_t), 3, fp); > if (items != 3) > return POLICYDB_ERROR; > -- > 2.36.1 >
On Thu, Jun 30, 2022 at 2:45 PM James Carter <jwcart2@gmail.com> wrote: > > On Thu, Jun 30, 2022 at 1:04 PM Christian Göttsche > <cgzones@googlemail.com> wrote: > > > > Do not modify the in memory default_range value of a class datum while > > writing a policy. > > > > While on it fix indentation. > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > Acked-by: James Carter <jwcart2@gmail.com> > Merged. Thanks, Jim > > --- > > libsepol/src/write.c | 16 +++++++++------- > > 1 file changed, 9 insertions(+), 7 deletions(-) > > > > diff --git a/libsepol/src/write.c b/libsepol/src/write.c > > index 48ed21ea..a9fdf93a 100644 > > --- a/libsepol/src/write.c > > +++ b/libsepol/src/write.c 
> > @@ -1097,16 +1097,18 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) > > p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) || > > (p->policy_type == POLICY_BASE && > > p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) { > > + char default_range = cladatum->default_range; > > + > > buf[0] = cpu_to_le32(cladatum->default_user); > > buf[1] = cpu_to_le32(cladatum->default_role); > > - if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) { > > + if (!glblub_version && default_range == DEFAULT_GLBLUB) { > > WARN(fp->handle, > > - "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding", > > - p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers, > > - p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB); > > - cladatum->default_range = 0; > > - } > > - buf[2] = cpu_to_le32(cladatum->default_range); > > + "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding", > > + p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers, > > + p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB); > > + default_range = 0; > > + } > > + buf[2] = cpu_to_le32(default_range); > > items = put_entry(buf, sizeof(uint32_t), 3, fp); > > if (items != 3) > > return POLICYDB_ERROR; > > -- > > 2.36.1 > >
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index 48ed21ea..a9fdf93a 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -1097,16 +1097,18 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
 p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) ||
 (p->policy_type == POLICY_BASE &&
 p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
+ char default_range = cladatum->default_range;
+
 buf[0] = cpu_to_le32(cladatum->default_user);
 buf[1] = cpu_to_le32(cladatum->default_role);
- if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) {
+ if (!glblub_version && default_range == DEFAULT_GLBLUB) {
 WARN(fp->handle,
- "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
- p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
- p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
- cladatum->default_range = 0;
- }
- buf[2] = cpu_to_le32(cladatum->default_range);
+ "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
+ p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
+ p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
+ default_range = 0;
+ }
+ buf[2] = cpu_to_le32(default_range);
 items = put_entry(buf, sizeof(uint32_t), 3, fp);
 if (items != 3)
 return POLICYDB_ERROR;
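Review bot: The new local `default_range` in class_write carries no comment saying why the field is copied, although that invariant is the whole point of the change. I would put `/* Work on a copy: a GLBLUB downgrade applies to the written image only, the in-memory class datum is left untouched. */` above the declaration. As far as the hunk shows, the downgrade path still falls through to the normal put_entry() write, so a caller learns only from the WARN message that the serialized policy carries a different default range than the policydb in memory. That is worth stating in the function's documentation, since it changes how new objects get their MLS range. If nothing else in the function writes through `cladatum` (its declaration is outside the hunk, as are the start and end of class_write), declaring it as a pointer to const would let the compiler enforce the no-modification rule.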
Do not modify the in-memory default_range value of a class datum while writing a policy. While at it, fix indentation. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- libsepol/src/write.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-)